b'                                            SOCIAL SECURITY\n\nMEMORANDUM\nDate:   March 10, 2004                                                                 Refer To:\n\nTo:     Martin H. Gerry\n        Deputy Commissioner\n         for Disability and Income Security Programs\n\nFrom:   Assistant Inspector General\n         Audit\n\nSubject: Evaluation of the Accelerated eDib System \xe2\x80\x93 Fifth Assessment (A-14-04-14057)\n\n\n\n        The Social Security Administration\xe2\x80\x99s (SSA) Office of the Inspector General (OIG) has\n        completed its fifth assessment in our ongoing evaluation of the Accelerated eDib\n        (AeDib) initiative (formally the Electronic Disability or eDib initiative). We conducted this\n        fifth assessment from August 2003 through March 2004 at SSA Headquarters in\n        Baltimore, Maryland. While we did not conduct an audit of the AeDib process, our\n        assessment addressed those issues that arose at the AeDib Steering Committee, or\n        where we were asked to provide comments to the Office of Systems.\n\n        BACKGROUND\n\n        As part of our participation in the Accelerated eDib (AeDib) Steering Committee and\n        prior evaluations1 of the AeDib project we recommended that the Agency conduct a risk\n        assessment of the AeDib system. The Clinger-Cohen Act of 1996 (CCA)2 requires\n        proposed IT projects be qualitatively and quantitatively assessed for risk and return.\n        The Office of Management and Budget (OMB) also requires Federal agencies to\n        consider risk when deciding what security controls to implement.3 OMB requires a risk-\n        based approach to determine adequate security, and it encourages agencies to\n        consider major risk factors, such as the value of the system or application, threats,\n        vulnerabilities, and the effectiveness of current or proposed safeguards.\n\n\n        1\n         Assessment of the Electronic Disability Project\xe2\x80\x99s Pre-2005 Business Process, (A-14-02-22066)\n        February 26, 2002, and Evaluation of the Accelerated eDib System Third Assessment, (A-14-03-13047)\n        December 20, 2002.\n        2\n         Sections 5122(a), 5122(b)(3), and 5122(b)(5) of the CCA, Pub. L. No. 104-106 \xc2\xa7\xc2\xa7 5122(a), 5122(b)(3),\n        5122(b)(5), 110 Stat. 186, 683 (1996).\n        3\n            OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, page 8.\n\x0cPage 2 - Martin H. Gerry\n\nThe National Institute of Standards and Technology (NIST) also recognizes the\nimportance of conducting risk assessments for securing computer-based resources. A\nsecurity risk assessment enables management to make informed risk-based business\ndecisions.\n\nThe purposes of our fifth assessment of AeDib were to: (1) evaluate the five risk\nassessments issued by the Agency in July 2003; and (2) determine whether the Agency\nshould perform a Post-Implementation Review of AeDib before the scheduled national\nroll-out. The OIG had earlier called for these risk assessments, first at the AeDib\nSteering Committee meetings and later, formally, in its third AeDib assessment. We\nwere asked by the Office of Systems to evaluate the Agency\xe2\x80\x99s risk assessments for\nAeDib. We reported our findings separately to the Office of Systems, which has already\ntaken action to improve these assessments.\n\nRESULTS OF OUR EVALUATION OF THE FIVE AeDib RISK ASSESSMENTS\n\nThe five risk assessments for which the Agency received contractor assistance to\ncomplete and then requested the OIG to evaluate are as follows:\n\n     1.   The Electronic Disability Collection System.\n     2.   The Document Management Architecture.\n     3.   AeDib Internet Applications.\n     4.   The Office of Hearings and Appeals Case Processing and Management\n          System.\n     5.   The Disability Determination Services (DDS) AS/400.\n\nThe first four assessments were performed to address the risks to the major AeDib\nsoftware subsystems (See Table 1 in Attachment A for a summary of the software\nrelated recommendations), while the fifth addressed the hardware system that supports\nthe disability claims processing software used by the DDSs in the 50 States and 4 other\njurisdictions (See Table 2 in Attachment B for a summary of the AS/400 related\nrecommendations).\n\nWe found that the text supporting the security plan recommendations in all four software\nrisk assessments used general support system terminology instead of major application\nterminology. Additionally, the Agency agreed with our conclusion that the four software\nrisk assessments should be updated. We found that SSA had already begun\naddressing the issues the contractor raised about the AS/400. We recommend that the\nAgency amend the text supporting the security plan recommendations and update the\nfour software risk assessments. We recommend the Agency have its contractor review\nthe pertinent control documents that SSA recently issued and update the AS/400\nassessment. We also recommend the Agency conduct Post-Implementation Reviews\nof each AeDib software subsystem during Fiscal Year 2005.\n\x0cPage 3 - Martin H. Gerry\n\nFour Risk Assessment Recommendations Caused Delays\n\nSSA issued four risk assessments of the Agency\xe2\x80\x99s AeDib software systems containing\nrecommendations using the terminology of OMB\xe2\x80\x99s general support system4 (GSS)\ncriteria. However, the Agency did not determine that all four software systems met\nOMB\xe2\x80\x99s definition of a major application5 (MA) until after the risk assessments were\nissued in July 2003. As a result, the recommendations in the risk assessment did not\ncall for: (1) preparation of an Application Security Plan; and (2) conducting a review of\nthe application controls of these four systems. Shortly after we met with the Agency on\nOctober 7, 2003, we brought up the MA issue and the Agency took immediate action to\nbegin implementing the two remaining recommendations. The Agency completed the\nApplication Security Plans in December 2003 and expects to complete the review of the\napplication controls of the four systems by March 2004.\n\nThe Four Software Risk Assessments Needed Updating\n\nWe found that each risk assessment needed updating. In each of the four risk\nassessments, SSA issued a set of five virtually identical recommendations. Appendix B\nin all four software risk assessments did not cite any evidentiary support for 4 of the 5\nrecommendations made by the Agency. For the remaining recommendation in 2 of the\napplications, Appendix B did cite evidentiary support for 6 of the 10 items reviewed, but\ndid not cite any support for the 10 conclusions in the other 2 applications.\n\nAveraging the results of the four risk assessments, each risk assessment concluded\nthat the Agency did not plan to implement key security requirements even though about\n40 percent of the requirements (39 of 98) designated by SSA as \xe2\x80\x9cNot Planned for\nImplementation\xe2\x80\x9d were required by the Agency\'s Information System Security Handbook\n(Handbook). However, we were assured by Agency officials that the risk assessments\nsimply needed updating and that SSA would in fact implement the requirements called\nfor by the Agency\xe2\x80\x99s Handbook.\n\n\n\n\n4\n A "general support system" or "system" means an interconnected set of information resources under the\nsame direct management control, which shares common functionality. A system normally includes\nhardware, software, information, data, applications, communications, and people. A system can be, for\nexample, a local area network (LAN) including smart terminals that supports a branch office, an agency-\nwide backbone, a communications network, and a departmental data processing center including its\noperating system and utilities. OMB Circular No. A-130, Appendix III, section A.2.c.\n5\n  A "major application" means an application that requires special attention to security due to the risk and\nmagnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the\ninformation in the application. Note: All Federal applications require some level of protection. Certain\napplications, because of the information in them, however, require special management oversight and\nshould be treated as major. Adequate security for other applications should be provided by security of\nthe systems in which they operate. Source OMB Circular No. A-130, Appendix III, section A.2.d.\n\x0cPage 4 - Martin H. Gerry\n\nThe Disability Determination Services IBM AS/400 Risk Assessment\n\nIn July 2003, SSA released a risk assessment that addressed the adequacy of the\nmanagement, operational and technical security controls in place to secure the DDS\nAS/400 environment that resides within each DDS. The document identified two issues\ndetailed in Table 2 in Attachment B, relating to the DDS AS/400, and recommended the\ndevelopment of: (1) a System Security Plan for the AS/400 system; and (2) a formal\ncertification and accreditation process.\n\nHowever, prior to the release of the risk assessment, the Agency\xe2\x80\x99s existing guidance\nalready addressed these two issues and provided management with the operational and\ntechnical security controls that DDSs should implement to protect sensitive SSA data.\nThe guidance is located in SSA\xe2\x80\x99s DDS Security Document and risk model for AS/400s.\nTherefore, SSA should have provided its contractor with these documents so that the\ncontractor could have reviewed the adequacy of SSA\xe2\x80\x99s existing guidance, and assessed\nhow this guidance could be used to mitigate risks for the DDS AS/400s.\n\nWhile SSA\xe2\x80\x99s recent requirements for the DDSs are a major step to address the security\nneeds at the DDSs, the DDSs still need to enact the Agency\xe2\x80\x99s requirements to make\nthem effective. Therefore, once the DDSs implement these new requirements, the\nsecurity of SSA\xe2\x80\x99s data should be greatly enhanced. Furthermore, security at the DDSs\nwill take on increased importance in 2004, when SSA begins granting the DDSs direct\naccess to the Agency\xe2\x80\x99s electronic folder. Since the electronic folder will contain\nsensitive medical, claim and identity information, someone gaining improper access\nthrough a DDS could obtain access to the Agency\xe2\x80\x99s data.\n\nSSA Should Perform a Post-Implementation Review of the Agency\xe2\x80\x99s New\nElectronic Disability Process Before the National Roll-Out is Completed\n\nWe believe the current Electronic Disability System is being implemented in a more\nefficient manner than the two previous electronic disability projects.6 One reason for\nimprovement during this most recent project is because the Agency conducted a\npost-implementation review of the prior application. The post-implementation review\nhelped the Agency assess why the previous systems had to be redirected, costing SSA\nabout $70 million.7 Office of Systems officials told us that they plan to do a\npost-implementation review before the national roll-out of the AeDib software is\ncomplete.\n\n\n\n\n6\n SSA initiated the Modernized Disability System to redesign the disability claims process in 1992. The\nproject was redesignated the Reengineered Disability System in 1994.\n7\n Information Technology Capital Planning and Investment Control Process at the Social Security\nAdministration, (A-14-99-12004) March 30, 2001, page D-2.\n\x0cPage 5 - Martin H. Gerry\n\nIn February 1997, the General Accounting Office (GAO) issued guidance8 to all\nExecutive Branch agencies for evaluating IT investment decision making for\nimplementing the Clinger-Cohen Act of 1996 (CCA) and other major legislation. While\nSSA is not required to adopt this guidance, the Federal Chief Information Officer\nCouncil has endorsed this guidance as \xe2\x80\x9cbest practices\xe2\x80\x9d for implementing CCA. The\nguidance provides a three-phase process (Selection, Control, and Evaluation) for capital\nplanning and IT investments (see graphic of process below).\n\n\n\n    S E LE C TIO N             C O N TR O L           E V A LU A TIO N\n       PHASE                     PHASE                    PHASE\n\n\n\n                             LE S S O N S LE A R N E D\n\n\nThe Evaluation phase \xe2\x80\x9ccloses the loop\xe2\x80\x9d on the IT investment management process by\nconducting post-implementation reviews. Post-Implementation reviews identify areas\nwhere future decision making can be enhanced. Lessons learned during the evaluation\nphase should be geared toward modifying future selection and control decisions.\nValuable lessons learned can be incorporated into the Selection and Control phases to\nhelp minimize risk and maximize benefits on future IT projects. We highly suggest that\nthe Agency should perform a post-implementation review during Fiscal Year 2005.\nFinally, the Agency needs to incorporate its new electronic disability system into its\nFederal Managers\xe2\x80\x99 Financial Integrity Act reviews that it contracts-out for audit.\n\n\n\n\n8\n Assessing Risks and Returns: A Guide for Evaluating Federal Agencies\xe2\x80\x99 IT Investment Decision-making,\nGAO/AIMD-10.1.13, February 1997.\n\x0cPage 6 - Martin H. Gerry\n\nThere is no expectation for the Agency to formally respond to this document. If you\nhave any questions or comments, please call me or have your staff contact Kitt Winter,\nDirector, Data Analysis and Technology Audit Division at (410) 965-9702, or Al Darago\nat (410) 965-9710.\n\n\n\n\n                                        S\n                                        Steven L. Schaeffer\n\nAttachments\n\ncc:\nChief Information Officer\nDeputy Commissioner for Systems\nDeputy Commissioner for Operations\nActing Inspector General\nAssistant Deputy Commissioner for\n  Disability and Income Security Programs\nAssociate Commissioners for\n  Disability Programs\nChair AeDib Steering Committee\nDirector, Audit Management and Liaison Staff\n\x0c                                                                                       Attachment A\n\n\n     Table 1: Findings for the Four Software Risk Assessments\n                         BLSR\nNumber     Risk Level              Finding Description                     Recommendation\n                          No.\n                                      Management Control\n6.1.1.1    Medium       MC1.1-   A System Security Plan          To comply with the requirements of\n                        1.8      (SSP) has not been              OMB A-130, SSA should develop a\n                                 completed and approved for      SSP for all four software components of\n                                 all four software               AeDib.\n                                 components of AeDib.\n6.1.1.2    Medium       MC3.1-   Security controls need to be    The security controls for all four\n                        3.10     reviewed on a periodic          software components should be\n                                 basis.                          reviewed a minimum of once every\n                                                                 3 years or whenever any of the four\n                                                                 application conditions change.\n6.1.1.3    Medium       MC5.1-   A formal system                 A formal C&A process should be\n                        5.16     Certification and               completed for AeDib to ensure that all\n                                 Accreditation (C&A) needs       security controls are implemented.\n                                 to be completed for AeDib.\n                                      Operational Control\n6.1.2.1    High         OC1.1-   A contingency plan or           Complete a contingency plan and COOP\n                        1.43     continuity of operations plan   for all four software components of\n                                 (COOP) needs to be              AeDib. The plan should include\n                                 completed for all four          preparations for maintaining all four\n                                 software components of          software components of AeDib in the\n                                 AeDib.                          event of a disaster.\n6.1.2.2    Medium       OC2.1-   A formal documented             A formal CMP should be developed to\n(DMA                    2.3      configuration management        prevent possible loss of data and\nonly                             process (CMP) needs to be       resources on the Document\nfinding)                         in place for new or revised     Management Architecture (DMA)\n                                 hardware/software testing,      system.\n                                 upgrades, and modifications.\n                                       Technical Control\n6.1.3.1    High         TC3.1-   Auditing functionality for      Auditing must be configured to capture\n                        3.21     all four software               security events such as date and time of\n                        MC3.1    components of AeDib             the event, applicant associated with the\n                                 requires more detailed          event, type of event, actions performed,\n                                 development of audit            system resources accessed, and the\n                                 requirements.                   success or failure of the event. In\n                                                                 addition, the audit trail should provide\n                                                                 information about the originator of\n                                                                 electronic transactions (i.e., sending\n                                                                 location, sending entity) and other\n                                                                 measures to ensure the integrity of the\n                                                                 document.\n\x0c                                                                                 Attachment B\n\n\n\n\n                        Table 2: DDS AS/400 Findings\n                       BLSR\nNumber    Risk Level              Finding Description                 Recommendation\n                        No.\n                                      Management Control\n6.1.1.1   Medium       MC2.1-   A System Security Plan      To comply with the requirements of\n                       2.8      (SSP) has not been          OMB A-130, SSA should develop a\n                                completed and approved      SSP for the DDS AS/400.\n                                for the DDS AS/400.\n6.1.1.2   Medium       MC7.1-   A formal system             A formal C&A process should be\n                       7.16     Certification and           completed for AeDib to ensure that all\n                                Accreditation (C&A) needs   security controls are implemented.\n                                to be completed for\n                                AeDib.\n\x0c'